Password verification is the process a system uses to decide whether the password supplied at login matches the one chosen for the account, without keeping that password itself. This matters because password databases are frequent targets for attackers, and a database of readable passwords exposes every user at once, including anywhere those users reused the same password. A secure system transforms the password into a protected value before saving it, then repeats the same transformation during login and checks for a match. Good password verification limits the damage from a data leak and makes large-scale guessing attacks much slower and more expensive.

Key Facts

  • A secure system stores hash = H(salt || password), not the plaintext password. The salt and the cost parameters of H are stored alongside the hash so the same computation can be repeated later.
  • A salt is a random value generated for each account and stored with it, so identical passwords produce different hashes.
  • During login, the server computes H(stored salt || entered password) and compares it with the stored hash, using a constant-time comparison.
  • Slow, tunable password hashing functions such as Argon2, bcrypt, or scrypt are preferred over fast general-purpose hashes like SHA-256 alone.
  • Estimated brute force time = number of guesses needed / guesses per second (the result is in seconds; divide by 60 for minutes, by 3600 for hours).
  • Multi-factor authentication adds another check, so access requires password match + second factor match.
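The following Python example, added here and not part of the original page, puts the facts above together: a random per-account salt, a slow configurable hash (scrypt from the standard library, with cost parameters chosen here as an assumption for illustration), a constant-time comparison at login, and the brute-force time estimate. The record format, the function names and the sample passwords are this example's own choices, not a standard.

```python
import hashlib
import hmac
import os
import time

# Assumed scrypt work parameters: n is the CPU/memory cost, r the block size,
# p the parallelism. 2**14 / 8 / 1 uses about 16 MiB of memory and tens of
# milliseconds per guess on a typical laptop; tune for your own hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
HASH_BYTES = 32


def _scrypt(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    """H(salt || password) with a deliberately slow, configurable function."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=n, r=r, p=p, dklen=HASH_BYTES)


def store_password(password: str) -> str:
    """Build the record saved for a new account: scheme, parameters, salt, hash.

    Only this string is stored; the plaintext password is discarded. Keeping
    the parameters in the record lets the site raise the cost later without
    breaking older accounts.
    """
    salt = os.urandom(SALT_BYTES)  # fresh random salt for every account
    digest = _scrypt(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(record: str, attempt: str) -> bool:
    """Recompute H(stored salt || attempt) and compare it in constant time."""
    try:
        scheme, n, r, p, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record: never treat as a match
    if scheme != "scrypt":
        return False
    candidate = _scrypt(attempt, bytes.fromhex(salt_hex), int(n), int(r), int(p))
    # compare_digest does not stop at the first differing byte, so the time
    # taken does not reveal how many leading bytes of the hash were right.
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


def brute_force_seconds(guesses_needed: float, guesses_per_second: float) -> float:
    """Estimated brute-force time = guesses needed / guesses per second."""
    return guesses_needed / guesses_per_second


def measure_guesses_per_second(hash_once, iterations: int) -> float:
    """Time `iterations` calls of hash_once() and return calls per second."""
    start = time.perf_counter()
    for _ in range(iterations):
        hash_once()
    return iterations / (time.perf_counter() - start)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    record = store_password(pw)
    print("stored record:           ", record)
    print("same password, 2nd account:", store_password(pw))  # different salt, different hash
    print("login, right password:", verify_password(record, pw))
    print("login, wrong password:", verify_password(record, "Tr0ub4dor&3"))

    # Contrast a fast general-purpose hash with the slow one on this machine.
    salt = os.urandom(SALT_BYTES)
    fast = measure_guesses_per_second(
        lambda: hashlib.sha256(salt + b"guess").digest(), 20_000)
    slow = measure_guesses_per_second(
        lambda: _scrypt("guess", salt, SCRYPT_N, SCRYPT_R, SCRYPT_P), 5)
    print(f"SHA-256 alone: about {fast:,.0f} guesses/s on one core")
    print(f"scrypt:        about {slow:,.1f} guesses/s on one core")
    print("2e9 guesses at the scrypt rate:",
          round(brute_force_seconds(2e9, slow) / 3600), "hours")
```

Run it to see that two accounts with the same password get different records, that verification succeeds only for the right password, and how far the per-guess rate drops when a slow hash replaces plain SHA-256. The single-core numbers are illustrative; an attacker with many GPUs multiplies the fast-hash rate by orders of magnitude, which is exactly why the slow function is chosen.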

Vocabulary

Plaintext password
A plaintext password is the original readable password typed by the user before any protective transformation.
Hash function
A hash function maps input data of any size to a fixed-length output in a way that is designed to be hard to reverse and hard to collide.
Salt
A salt is a unique random value added to a password before hashing to prevent identical passwords from having identical stored hashes.
Password hashing function
A password hashing function is a deliberately slow and configurable algorithm used to make password guessing expensive for attackers.
Constant-time comparison
A constant-time comparison checks two values without stopping at the first mismatch, so the time it takes does not depend on how many leading bytes matched and cannot leak useful information to an attacker measuring response times.

Common Mistakes to Avoid

  • Storing passwords in plaintext is wrong because anyone who reads the database can immediately use every password.
  • Using the same salt for every user is wrong because attackers can still compare accounts and reuse precomputed guessing work.
  • Hashing with a fast general-purpose hash alone is wrong because attackers can try billions of guesses per second on specialized hardware.
  • Returning overly specific login errors is wrong because a message such as "password incorrect" where the username exists, versus "no such user" where it does not, lets attackers confirm which accounts are valid.

Practice Questions

  1. A password hashing function is configured to take 0.20 seconds per guess on one computer. How long would 10,000 guesses take on that computer, in seconds and in minutes?
  2. An attacker can test 5,000,000 password guesses per second against unsalted fast hashes. How long would it take to test 2,000,000,000 guesses?
  3. Explain why two users with the same password should still have different stored hash values in a well-designed password system.